From: Stefano Brivio <sbrivio@redhat.com>
To: Paul Holzinger <pholzing@redhat.com>, Max Chernoff <git@maxchernoff.ca>
Cc: passt-dev@passt.top
Subject: Re: [PATCH v2 1/1] selinux: Transition to pasta_t in containers
Date: Fri, 16 May 2025 18:11:02 +0200 [thread overview]
Message-ID: <20250516181102.6647635f@elisabeth> (raw)
In-Reply-To: <8703e232-0763-4d07-8803-e2f54aaed3f2@redhat.com>
On Fri, 16 May 2025 14:35:14 +0200
Paul Holzinger <pholzing@redhat.com> wrote:
> On 16/05/2025 14:22, Max Chernoff wrote:
> > Hi Paul,
> >
> > On Fri, 2025-05-16 at 13:59 +0200, Paul Holzinger wrote:
> >
> >> So I did test this patch with podman's system and e2e test on podman
> >> v5.5.0 on fedora rawhide and I noticed one problem that caused some
> >> failures:
> >>
> >> podman build is broken with this policy. And I assume that means buildah
> >> would not work as well. The difference is that in the build case we do
> >> not pass a bind mounted namespace path under /run but rather
> >> /proc/$pid/ns/net as path to pasta. We get this error:
> >>
> >> pasta failed with exit code 1:
> >> Couldn't open network namespace /proc/360143/ns/net: Permission denied
> >>
> >> Logged avc:
> >> denied { search } for pid=360144 comm="pasta.avx2" name="360143"
> >> dev="proc" ino=2030208
> >> scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023
> >> tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023
> >> tclass=dir permissive=0
> > Odd, it works for me:
> >
> > $ id -Z
> > user_u:user_r:user_t:s0-s0:c0.c1023
> >
> > $ podman --version
> > podman version 5.4.2
> >
> > $ pasta --version
> > pasta 0^20250512.g8ec1341-1.fc42.x86_64
> > Copyright Red Hat
> > GNU General Public License, version 2 or later
> > <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
> > This is free software: you are free to change and redistribute it.
> > There is NO WARRANTY, to the extent permitted by law.
> >
> > $ cat Containerfile
> > FROM registry.fedoraproject.org/fedora-minimal:42
> > RUN dnf install --assumeyes python3
> >
> > $ podman build --no-cache --network=pasta .
> > STEP 1/2: FROM registry.fedoraproject.org/fedora-minimal:42
> > STEP 2/2: RUN dnf install --assumeyes python3
> > Updating and loading repositories:
> > Fedora 42 - x86_64 - Updates 100% | 8.3 MiB/s | 6.8 MiB | 00m01s
> > Fedora 42 openh264 (From Cisco) - x86_ 100% | 7.7 KiB/s | 6.0 KiB | 00m01s
> > Fedora 42 - x86_64 100% | 12.3 MiB/s | 35.4 MiB | 00m03s
> > Repositories loaded.
> > Package Arch Version Repository Size
> > Installing:
> > python3 x86_64 3.13.3-2.fc42 updates 28.7 KiB
> > Installing dependencies:
> > expat x86_64 2.7.1-1.fc42 fedora 290.2 KiB
> > libb2 x86_64 0.98.1-13.fc42 fedora 46.1 KiB
> > libgomp x86_64 15.1.1-1.fc42 updates 538.5 KiB
> > mpdecimal x86_64 4.0.1-1.fc42 updates 217.2 KiB
> > python-pip-wheel noarch 24.3.1-2.fc42 fedora 1.2 MiB
> > python3-libs x86_64 3.13.3-2.fc42 updates 39.9 MiB
> > readline x86_64 8.2-13.fc42 fedora 485.0 KiB
> > tzdata noarch 2025b-1.fc42 fedora 1.6 MiB
> > Installing weak dependencies:
> > python-unversioned-command noarch 3.13.3-2.fc42 updates 23.0 B
> >
> > Transaction Summary:
> > Installing: 10 packages
> >
> > Total size of inbound packages is 12 MiB. Need to download 12 MiB.
> > After this operation, 44 MiB extra will be used (install 44 MiB, remove 0 B).
> > [ 1/10] python3-0:3.13.3-2.fc42.x86_64 100% | 109.6 KiB/s | 29.7 KiB | 00m00s
> > [...]
> > [12/12] Installing python-unversioned-c 100% | 9.6 KiB/s | 424.0 B | 00m00s
> > Complete!
> > COMMIT
> > --> edfb5d3fee4c
> > edfb5d3fee4c729c0ec373150bd382e5a8461bc6ce18b14bcc12606d65ee185f
> >
> > $ ps auxZ | grep pasta # In another terminal while the above is running
> > user_u:user_r:container_runtime_t:s0-s0:c0.c1023 test-us+ 497555 0.4 0.1 2533448 48028 pts/2 Sl+ 06:11 0:00 podman build --no-cache --network=pasta .
> > user_u:user_r:pasta_t:s0-s0:c0.c1023 test-us+ 497680 1.1 0.0 206444 17188 ? Ss 06:11 0:00 /usr/sbin/pasta --config-net --dns-forward 169.254.1.1 -t none -u none -T none -U none --no-map-gw --quiet --netns /proc/497672/ns/net --map-guest-addr 169.254.1.2
> >
> > What are the SELinux contexts of the network namespaces? This is what I
> > get:
> >
> > $ ls -laZ $XDG_RUNTIME_DIR/netns $XDG_RUNTIME_DIR/containers/networks/rootless-netns /proc/self/ns/net
> > ls: cannot access '/run/user/959/netns': No such file or directory
> > lrwxrwxrwx. 1 test-user test-user user_u:user_r:user_t:s0-s0:c0.c1023 0 May 16 06:15 /proc/self/ns/net -> 'net:[4026531840]'
>
> It seems to be unconfined for me
>
> lrwxrwxrwx. 1 test test
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 May 16 08:32
> /proc/self/ns/net -> 'net:[4026531840]'
>
> >
> > /run/user/959/containers/networks/rootless-netns:
> > total 0
> > drwx------. 2 test-user test-user user_u:object_r:ifconfig_var_run_t:s0 40 May 16 06:05 ./
> > drwx------. 3 test-user test-user user_u:object_r:user_tmp_t:s0 60 May 16 06:05 ../
> /run/user/1001/containers/networks/rootless-netns:
> total 0
> drwx------. 2 test test unconfined_u:object_r:ifconfig_var_run_t:s0 40
> May 16 06:26 .
> drwx------. 4 test test unconfined_u:object_r:user_tmp_t:s0 120 May 16
> 06:26 ..
>
> /run/user/1001/netns:
> total 0
> drwxr-xr-x. 2 test test unconfined_u:object_r:ifconfig_var_run_t:s0 40
> May 16 07:31 .
> drwx------. 9 test test unconfined_u:object_r:user_tmp_t:s0 200 May 16
> 06:19 ..
I'm getting the same issue with 'podman build' and the Containerfile
shared by Max. Running with SELinux in permissive mode, I'm getting:
# cat /var/log/audit/audit.log
type=AVC msg=audit(1747410763.621:130615): avc: denied { search } for pid=1352409 comm="pasta.avx2" name="1352408" dev="proc" ino=7022238 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=1
type=AVC msg=audit(1747410763.621:130616): avc: denied { read } for pid=1352409 comm="pasta.avx2" name="net" dev="proc" ino=7022285 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=lnk_file permissive=1
type=AVC msg=audit(1747410763.622:130617): avc: denied { read } for pid=1352409 comm="pasta.avx2" scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1747410763.622:130618): avc: denied { read } for pid=1352409 comm="pasta.avx2" name="ns" dev="proc" ino=7022284 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=1
type=AVC msg=audit(1747410763.622:130619): avc: denied { open } for pid=1352409 comm="pasta.avx2" path="/proc/1352408/ns" dev="proc" ino=7022284 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=1
type=AVC msg=audit(1747410764.622:130620): avc: denied { read } for pid=1352417 comm="pasta.avx2" name="net" dev="proc" ino=7022285 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:system_r:container_t:s0:c609,c838 tclass=lnk_file permissive=1
and:
# audit2allow -a
#============= pasta_t ==============
allow pasta_t container_runtime_t:dir { open read search };
allow pasta_t container_runtime_t:file read;
allow pasta_t container_runtime_t:lnk_file read;
allow pasta_t container_t:lnk_file read;
If I add those rules, everything works (well, I'm not saying that's
the solution...). This is a Fedora virtual machine with:
# uname -a
Linux passt.top 6.11.0-0.rc3.30.fc41.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Aug 12 14:18:21 UTC 2024 x86_64 GNU/Linux
# rpm -qe podman passt
podman-5.5.0~rc2-1.fc43.x86_64
passt-0^20250512.g8ec1341-1.fc43.x86_64
To me those denials look reasonable, in the sense that I would expect
the namespace links to have container_runtime_t type.
By the way:
$ ls -laZ $XDG_RUNTIME_DIR/netns $XDG_RUNTIME_DIR/containers/networks/rootless-netns /proc/self/ns/net
lrwxrwxrwx. 1 sbrivio sbrivio unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 May 16 15:59 /proc/self/ns/net -> 'net:[4026531840]'
/run/user/1001/containers/networks/rootless-netns:
total 0
drwx------. 2 sbrivio sbrivio unconfined_u:object_r:ifconfig_var_run_t:s0 40 May 15 15:00 .
drwx------. 4 sbrivio sbrivio unconfined_u:object_r:user_tmp_t:s0 120 May 15 15:00 ..
/run/user/1001/netns:
total 0
drwxr-xr-x. 2 sbrivio sbrivio unconfined_u:object_r:ifconfig_var_run_t:s0 40 May 15 15:00 .
drwx------. 8 sbrivio sbrivio unconfined_u:object_r:user_tmp_t:s0 220 May 6 08:02 ..
Max, could it be that you're running stuff with some customised SELinux
policy? By the way, with "unconfined disabled":
https://bugzilla.redhat.com/show_bug.cgi?id=2330512
we seem to have unconfined_t as type for those links:
type=AVC msg=audit(1733378482.320:31258): avc: denied { open } for pid=651955 comm="pasta.avx2" path="/proc/651954/ns" dev="proc" ino=2904841 scontext=staff_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=1
...but I'm not sure at which point in time exactly.
> >> I am not familiar with the selinux stuff but if this is a boolean that
> >> users can configure should this be documented in the man page here?
> > I guess more documentation is always a good thing, but most of the other
> > container-related SELinux booleans seem to be undocumented:
> >
> > $ sudo semanage boolean --list | grep ^container_
> > container_connect_any (off , off) Determine whether container can connect to all TCP ports.
> > container_manage_cgroup (on , on) Allow sandbox containers to manage cgroup (systemd)
> > container_read_certs (off , off) Allow all container domains to read cert files and directories
> > container_use_cephfs (off , off) Determine whether container can use ceph file system
> > container_use_devices (off , off) Allow containers to use any device volume mounted into container
> > container_use_dri_devices (on , on) Allow containers to use any dri device volume mounted into container
> > container_use_ecryptfs (off , off) Determine whether container can use ecrypt file system
> > container_use_xserver_devices (off , off) Allow containers to use any xserver device volume mounted into container, mostly used for GPU acceleration
> > container_user_exec_content (on , on) Allow container to user exec content
> >
> > $ man -wK container_connect_any
> > No manual entry for container_connect_any
> >
> > $ man -wK container_manage_cgroup
> > /usr/share/man/man1/podman-create.1.gz
> > /usr/share/man/man1/podman-run.1.gz
> > /usr/share/man/man7/podman-troubleshooting.7.gz
> >
> > $ man -wK container_read_certs
> > No manual entry for container_read_certs
> >
> > $ man -wK container_use_cephfs
> > No manual entry for container_use_cephfs
> >
> > $ man -wK container_use_devices
> > /usr/share/man/man1/sesearch.1.gz
> > /usr/share/man/man1/podman-pod-clone.1.gz
> > /usr/share/man/man1/podman-pod-create.1.gz
> > /usr/share/man/man1/podman-build.1.gz
> > /usr/share/man/man1/podman-farm-build.1.gz
> > /usr/share/man/man1/podman-create.1.gz
> > /usr/share/man/man1/podman-run.1.gz
> > /usr/share/man/man8/setsebool.8.gz
> >
> > $ man -wK container_user_exec_content
> > No manual entry for container_user_exec_content
> >
> > I'll send a patch for the man pages tomorrow.
Wait a moment. I don't think something SELinux-specific belongs to
pasta's man page, because that's not relevant for all users and
distributions.
We could maintain that as an addition for Fedora and perhaps Gentoo,
but I wonder if it's really worth the effort. Besides, I think that:
# semanage boolean --list | grep pasta
pasta_allow_bind_any_port (on , on) Allow pasta to allow bind any port
...this is the common practice to document those knobs (and where I
usually look for things). We wouldn't have much to add to this anyway.
--
Stefano
next prev parent reply other threads:[~2025-05-16 16:11 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-14 10:44 [PATCH 0/1] selinux: Transition to pasta_t in containers Max Chernoff
2025-05-14 10:44 ` [PATCH 1/1] " Max Chernoff
2025-05-15 13:40 ` Stefano Brivio
2025-05-15 15:55 ` Stefano Brivio
2025-05-14 12:26 ` [PATCH 0/1] " Stefano Brivio
2025-05-16 5:11 ` [PATCH v2 " Max Chernoff
2025-05-16 6:22 ` Stefano Brivio
2025-05-16 5:11 ` [PATCH v2 1/1] " Max Chernoff
2025-05-16 11:59 ` Paul Holzinger
2025-05-16 12:22 ` Max Chernoff
2025-05-16 12:35 ` Paul Holzinger
2025-05-16 16:11 ` Stefano Brivio [this message]
2025-05-17 9:34 ` Max Chernoff
2025-05-19 7:39 ` Stefano Brivio
2025-05-20 10:37 ` [PATCH v3 0/1] " Max Chernoff
2025-05-20 16:08 ` Stefano Brivio
2025-05-24 7:16 ` [PATCH v4 " Max Chernoff
2025-05-24 7:16 ` [PATCH v4 1/1] " Max Chernoff
2025-05-20 10:37 ` [PATCH v3 " Max Chernoff
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250516181102.6647635f@elisabeth \
--to=sbrivio@redhat.com \
--cc=git@maxchernoff.ca \
--cc=passt-dev@passt.top \
--cc=pholzing@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://passt.top/passt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).